Bugtraq mailing list archives

Entrust Bulletin E01-005: GetAccess Access Service vulnerability
From: Eric Skinner <Eric.Skinner () entrust com>
Date: Mon, 5 Nov 2001 09:23:56 -0500

Entrust Security Bulletin E01-005
=================================

Entrust GetAccess(tm) Access Service Vulnerability


SUMMARY:
========

A vulnerability has been identified in Entrust GetAccess that could allow
unauthorized retrieval of files on certain GetAccess web servers. Entrust
recommends installation of the patch described below, which addresses this
vulnerability.

Impact of vulnerability: 

This vulnerability could potentially result in the unauthorized retrieval of
some files hosted on impacted web servers. Servers running the GetAccess
Access Service are impacted; others running GetAccess runtimes and other
services are not. Typical customer deployments store sensitive content on
GetAccess runtime servers, therefore reducing the impact of this
vulnerability. 

Solution:

Entrust has made a patch available on the GetAccess support extranet at
the location listed below. A workaround also exists, described below.

Affected Configurations:

- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service


TECHNICAL DETAILS:
==================

GetAccess provides a localization mechanism that allows its HTML pages (used
for logout sequences, error messages, timeout messages, and the like) to be
localized using different language-specific templates.  This mechanism takes
in as an argument a query string name-value pair of the format
"LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory
within the GetAccess directory structure that contains the appropriate HTML
templates.  GetAccess uses this information to build the directory path and
select the appropriate files.

The vulnerability arises if a user manually substitutes an arbitrary
directory path for the XX_XX value.  The localization mechanism is
vulnerable in the following GetAccess Access Service capabilities:

- The process which drives localized user help during login (if the user 
  clicks the "Help" link on a login screen)
- The process which drives the "About" screen that displays GetAccess 
  version information.

All other GetAccess processes that support the localization mechanism do not
contain this vulnerability.


MITIGATING FACTORS:
===================

- The only files that are potentially exposed are the ones that the web 
  server has permission to access.
- This vulnerability is limited to file retrieval only.  It is not 
  possible to exploit this vulnerability to upload files/data or to execute 
  arbitrary code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of 
  exposure.  The most common deployment architecture segregates the Access 
  Service from web servers hosting any sensitive application data.


PATCH AVAILABILITY:
===================

A patch is available now on the GetAccess support extranet at the following
address: 
https://login.encommerce.com/private/docs/techSupport/Patches-BugFix


WORK-AROUNDS:
=============

If the patch above is applied, the following work-arounds are not required.

- The following files can be removed from GetAccess Access Service hosts, 
  eliminating the vulnerability. Note that the patch above corrects the 
  vulnerability in these scripts and eliminates the need to delete the 
  scripts.
     
     helpwin.gas.bat: this script is referenced by the "Help" link on 
     GetAccess login screens. These links could be replaced with 
     alternative HTML help pages not driven by the GetAccess help script.

     AboutBox.gas.bat: This script drives the "About" box that displays 
     GetAccess version information. 

- As part of normal security policy, customers should not store sensitive 
  data on GetAccess Access Service hosts.  Web servers hosting such data 
  should be secured using the GetAccess Runtime, which is not affected 
  by this vulnerability.  Almost all Entrust GetAccess customers choose 
  to deploy in this sort of configuration even in the absence of this 
  vulnerability.

- If the Access Service component is co-located on a web server hosting 
  sensitive files, the Access Service can be segregated to a dedicated 
  server in order to minimize the potential exposure.  

- File permissions should be set such that all files not explicitly needed 
  by the web server are inaccessible to the user account under which the 
  web server runs (in keeping with industry best practice).

- Impacted Components: Only GetAccess servers running the Access Service 
  component are affected.   Web servers hosting secure content protected 
  by the GetAccess Runtime are not affected.


SUPPORT:
========

Entrust customer support, including after-hours service, is available by
phone as follows:

North America:  1-877-754-7878
Elsewhere: +1-613-270-3700


ACKNOWLEDGMENT:
=============== 

Entrust acknowledges the assistance of Rudi Carell, who worked with us to
eliminate this vulnerability.


Copyright (c) 2001 Entrust Inc.


security () entrust com
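
The TECHNICAL DETAILS section describes a directory path built directly from the LOCALE value. The sketch below is an added example, not Entrust's code or patch: a Python stand-in that contrasts that pattern with a two-layer check (strict format match, then containment of the resolved path). The function names, the two-letter reading of "XX_XX", the en_US fallback and the template tree are all assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the bulletin only says "XX_XX"; two letters, underscore,
# two letters is this example's reading of that format.
LOCALE_RE = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")


def naive_template_path(base: Path, locale: str, page: str) -> Path:
    """The pattern the bulletin describes: the value is joined as-is."""
    return base / locale / page


def safe_template_path(base: Path, locale: str, page: str, default: str = "en_US") -> Path:
    """Resolve a template, falling back to `default` on any bad input."""
    base = base.resolve()
    if not LOCALE_RE.fullmatch(locale):
        locale = default  # layer 1: strict format check
    candidate = (base / locale / page).resolve()
    # Layer 2: a well-formed name can still be a symlink, so the resolved
    # path must remain under the template root.
    if base not in candidate.parents:
        candidate = (base / default / page).resolve()
    return candidate


def demo() -> dict:
    """Build a constructed template tree and compare both functions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "templates"
        for loc in ("en_US", "fr_CA"):
            (base / loc).mkdir(parents=True)
            (base / loc / "help.html").write_text(loc)
        (root / "private").mkdir()
        (root / "private" / "help.html").write_text("not a template")
        (base / "zz_ZZ").symlink_to(root / "private", target_is_directory=True)
        results = {}
        for value in ("fr_CA", "../private", "en_US/../../private", "zz_ZZ"):
            naive = naive_template_path(base, value, "help.html").resolve()
            safe = safe_template_path(base, value, "help.html")
            results[value] = (base in naive.parents, safe.relative_to(base).as_posix())
        return results


if __name__ == "__main__":
    for value, (naive_inside, safe_rel) in demo().items():
        print(f"{value!r:24} naive stays inside: {naive_inside!s:5} safe -> {safe_rel}")
```

The zz_ZZ case passes the format check but is a symlink out of the template root, which is why the containment check on the resolved path is kept as a second layer.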



